IT Careers Blog

How to Build a Successful IT Security Career

IT security pros can never stop learning about cyber threats and best security practices. Industry professionals recommend a mix of activities to continually prep for a successful IT security career.

Network Connections
Network and build knowledge by joining local chapters of IT security trade associations or online communities, suggests Amy Hagerman, assistant vice president/IT security manager at Independent Bank in Ionia, Michigan. “It’s very cost effective.”

Such groups could include:

A working friendship with a group of respected, trusted peers can be a huge resource to everyone in the group. It provides a chance to learn about new challenges or technologies, and discuss problems. “Once you get plugged into some of these groups, you build up a rapport over time, so you know who really knows what they are talking about, and whom you are able to trust,” says Hagerman.

Get Educated
All three IT security professionals interviewed for this blog earned IT-related bachelor’s degrees; two invested in graduate level study. “I had to take the time to get in and learn how things worked, why things like firewalls for example, worked,” says Justin Opatrny, network planner for General Mills, who holds a bachelor’s degree in management information systems from Iowa State and a Master’s in Information Assurance from Norwich University.

Understanding the fundamentals of networking, operating systems, security threats and risk is key to professional success. “Anybody can learn to use an IT security tool like a firewall or an IPS (intrusion prevention system),” says Opatrny. “You need to know why you are using that tool, what advantages does it have, what disadvantages does it have—so you understand the full picture. Without those foundations, you’re likely to have less success running and securing your systems properly.”

Get Certified
“Certification can be a great career builder,” contends Opatrny, who holds not only the CompTIA Security+ credential, but also the CISSP from ISC2 and forensic analyst and systems/network auditing credentials from GIAC. “It gives you some level of validation that you have a base knowledge of skill.” That can be a differentiator to an entry-level IT security employee. But he adds, “You’d better be able to prove on the job that you can apply these skills and knowledge—not just that you are good at taking tests.”

Get Involved
Becoming involved with trade industry groups, such as CompTIA or ISSA, is good for the industry, and it’s good for you. Opatrny teaches, writes industry articles and volunteers as a subject matter expert; both Hagerman and Lee Myers, chief technology officer for the Archdiocese of Philadelphia, helped write CompTIA’s CASP exam. The “Share the Wealth” mentality is pretty prevalent in IT security, says Opatrny. “We are already at a disadvantage against these malicious agents. We have to take every chance we have to work with our peers, share what we’ve learned or experienced, so we don’t have to figure it all out ourselves.”

Keep Reading & Researching
Beyond setting RSS feeds or Google News Reader, popular online resources for IT security professionals include:

  • BugTraq — Security Focus mailing list for the “detailed” discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. “There’s more information on there than any one person could absorb,” says Opatrny.
  • Center for Internet Security (daily cyber security tips, white papers, guides, videos and podcasts)
  • Experts Exchange (online forum where IT professionals provide answers on tech topics)
  • ISC2 (blog, journal, magazine)
  • ISSA (journal, executive forum, webcasts, whitepapers, e-news)
  • NIST’s Special Publications (800) series, and FIPS publications. The SP800 series are documents from NIST’s Information Technology Laboratory, featuring titles such as “Guidelines for Securing Wireless Local Area Networks” (published February 2012). “The SP800 Series is a great reference for learning different aspects of security,” says Opatrny. Myers adds that NIST FIPS (Federal Information Processing Standards) “give you a great framework.”
  • SANS Institute (research, whitepapers, newsletters, webinars)
  • Secure Computing (monthly magazine and online news)
  • U.S. Computer Emergency Readiness Team — The Home and Business section offers basic tutorials (e.g., “Understanding Denial of Service Attacks”), as well as alerts on current security issues, vulnerabilities, and exploits, and weekly summaries of new vulnerabilities (with patch information when available).
  • Verizon 2011 Investigative Response (IR) Caseload Review and its Data Breach Investigations Report (DBIR) — The DBIR is a “very thorough evaluation of all of the incidents Verizon has responded to over the last year—where the attacks are coming from, how effective they’ve been, areas getting attacked,” says Hagerman. “I find that very helpful in identifying what we should be protecting against.”

Get Conferenced
Attending a national IT security conference, such as EMC’s RSA Conference, is a great option for the diversity of speakers and presenters, but local or regional IT security conferences can be more time- and cost-efficient. For example, Opatrny attends Secure360, the educational conference of the Upper Midwest Security Alliance (UMSA).

Staying on top of IT security is a continual, every day process. “That’s one of the reasons I love it,” says Hagerman. “It’s fascinating and always changing. It’s one of my favorite things to do.”

Contributors to this blog:
Amy Hagerman (CISSP, CASP, Project+, Security+, Network+ and A+) holds a bachelor’s degree in information security, with an associate’s degree in networking, from Davenport University. She is planning to retake the Offensive Security Certified Professional (OSCP) exam and—“for fun”—is pursuing the CompTIA Linux+ credential.

Lee Myers (CISSP, CASP, Security+, Linux+, Network+, A+, MCP, CNA, Strata, and DCSE) holds a bachelor’s degree in computer science and technology from Drexel University. He’s currently completing a Master’s degree in Information Science, also at Drexel.

Justin Opatrny (GCFA, GSNA, CISSP and Security+) earned a bachelor’s degree in management information systems from Iowa State and a Master’s in Information Assurance at Norwich University.

